Permission Mappings
The permission mappings configuration file lets you assign permissions to folders and objects in a Site, giving specific Roles rights to those objects. It contains the permission mappings for the roles defined in the role mappings config file. Rights are granted to a Role by adding permissions inside the `<allowed-permissions>` tag. The absence of a permission means the permission is denied. Each rule has a regex that governs the scope of the permissions assigned. A list of available permissions that can be granted to Roles is available after the sample configuration file.
- Permissions are defined per: site > role > rule
For example, to grant the role component_author the ability to read/write components and read-only to everything else:
```xml
<role name="component_author">
  <rule regex="/site/website/.*">
    <allowed-permissions>
      <permission>Read</permission>
    </allowed-permissions>
  </rule>
  <rule regex="/site/components/.*">
    <allowed-permissions>
      <permission>Read</permission>
      <permission>Write</permission>
      <permission>Create Content</permission>
      <permission>Create Folder</permission>
    </allowed-permissions>
  </rule>
  <rule regex="/static-assets/.*">
    <allowed-permissions>
      <permission>Read</permission>
    </allowed-permissions>
  </rule>
</role>
```
A regex of “~DASHBOARD~” governs view access to the publishing workflow related dashboard widgets:
- Items Waiting For Approval
- Approved Scheduled Items
- Recently Published
To grant a role the ability to view these dashboard widgets, simply grant the role the permission Publish to the scope ~DASHBOARD~. For example:
```xml
<rule regex="~DASHBOARD~">
  <allowed-permissions>
    <permission>Publish</permission>
  </allowed-permissions>
</rule>
```
To modify/view the permission mappings for your site in Studio, click on at the bottom of the Sidebar, then click on Configurations and select Permissions Mapping from the list.
Sample
Here’s a sample Permission Mappings Configuration file:
Sample "permission-mappings-config.xml"
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  ~ Copyright (C) 2007-2023 Crafter Software Corporation. All Rights Reserved.
  ~
  ~ This program is free software: you can redistribute it and/or modify
  ~ it under the terms of the GNU General Public License version 3 as published by
  ~ the Free Software Foundation.
  ~
  ~ This program is distributed in the hope that it will be useful,
  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  ~ GNU General Public License for more details.
  ~
  ~ You should have received a copy of the GNU General Public License
  ~ along with this program. If not, see <http://www.gnu.org/licenses/>.
  -->
<!-- permission-mappings-config.xml

  This file contains the permissions mappings for the roles defined in
  role-mappings-config.xml.

  Permissions are defined per:
  site > role > rule

  Rules have a regex expression that governs the scope of the permissions assigned.

  Absence of permissions means the permission is denied.

  View the sample for a good starting point.
-->
<permissions>
  <version>4.1.2</version>
  <role name="author">
    <rule regex="/site/website/.*">
      <allowed-permissions>
        <permission>content_read</permission>
        <permission>content_write</permission>
        <permission>content_create</permission>
        <permission>folder_create</permission>
        <permission>get_children</permission>
        <permission>content_copy</permission>
      </allowed-permissions>
    </rule>
    <rule regex="/site/components|/site/components/.*">
      <allowed-permissions>
        <permission>content_read</permission>
        <permission>content_write</permission>
        <permission>content_create</permission>
        <permission>folder_create</permission>
        <permission>get_children</permission>
        <permission>content_copy</permission>
      </allowed-permissions>
    </rule>
    <rule regex="/static-assets|/static-assets/.*">
      <allowed-permissions>
        <permission>content_read</permission>
        <permission>content_write</permission>
        <permission>content_create</permission>
        <permission>folder_create</permission>
        <permission>get_children</permission>
        <permission>content_copy</permission>
      </allowed-permissions>
    </rule>
    <rule regex=".*">
      <allowed-permissions>
        <permission>s3_read</permission>
        <permission>s3_write</permission>
        <permission>webdav_read</permission>
        <permission>webdav_write</permission>
        <permission>list_plugins</permission>
        <permission>get_children</permission>
        <permission>publish_status</permission>
        <permission>content_read</permission>
        <permission>content_search</permission>
        <permission>read_configuration</permission>
        <permission>get_publishing_queue</permission>
      </allowed-permissions>
    </rule>
  </role>
  <role name="publisher">
    <rule regex="/site/.*">
      <allowed-permissions>
        <permission>content_read</permission>
        <permission>content_write</permission>
        <permission>content_create</permission>
        <permission>folder_create</permission>
        <permission>publish</permission>
        <permission>get_publishing_queue</permission>
        <permission>cancel_publish</permission>
        <permission>get_children</permission>
        <permission>content_copy</permission>
      </allowed-permissions>
    </rule>
    <rule regex="^/site/(?!website/index\.xml)(.*)">
      <allowed-permissions>
        <permission>content_delete</permission>
        <permission>content_read</permission>
      </allowed-permissions>
    </rule>
    <rule regex="/static-assets.*">
      <allowed-permissions>
        <permission>content_read</permission>
        <permission>content_write</permission>
        <permission>content_create</permission>
        <permission>folder_create</permission>
        <permission>publish</permission>
        <permission>get_publishing_queue</permission>
        <permission>cancel_publish</permission>
        <permission>content_delete</permission>
        <permission>get_children</permission>
        <permission>content_copy</permission>
      </allowed-permissions>
    </rule>
    <rule regex="~DASHBOARD~">
      <allowed-permissions>
        <permission>publish</permission>
        <permission>get_publishing_queue</permission>
        <permission>cancel_publish</permission>
        <permission>publish_status</permission>
        <permission>content_read</permission>
      </allowed-permissions>
    </rule>
    <rule regex=".*">
      <allowed-permissions>
        <permission>s3_read</permission>
        <permission>s3_write</permission>
        <permission>webdav_read</permission>
        <permission>webdav_write</permission>
        <permission>list_plugins</permission>
        <permission>get_children</permission>
        <permission>publish_status</permission>
        <permission>content_read</permission>
        <permission>content_search</permission>
        <permission>read_configuration</permission>
        <permission>get_publishing_queue</permission>
      </allowed-permissions>
    </rule>
  </role>
  <role name="developer">
    <rule regex="/.*">
      <allowed-permissions>
        <permission>content_read</permission>
        <permission>content_write</permission>
        <permission>publish</permission>
        <permission>get_publishing_queue</permission>
        <permission>cancel_publish</permission>
        <permission>folder_create</permission>
        <permission>content_create</permission>
        <permission>change_content_type</permission>
        <permission>write_configuration</permission>
        <permission>add_remote</permission>
        <permission>list_remotes</permission>
        <permission>pull_from_remote</permission>
        <permission>push_to_remote</permission>
        <permission>rebuild_database</permission>
        <permission>remove_remote</permission>
        <permission>site_status</permission>
        <permission>resolve_conflict</permission>
        <permission>site_diff_conflicted_file</permission>
        <permission>commit_resolution</permission>
        <permission>cancel_failed_pull</permission>
        <permission>encryption_tool</permission>
        <permission>get_children</permission>
        <permission>publish_status</permission>
        <permission>content_copy</permission>
      </allowed-permissions>
    </rule>
    <rule regex="^/(?!site/website/index\.xml)(.*)">
      <allowed-permissions>
        <permission>content_delete</permission>
        <permission>content_read</permission>
      </allowed-permissions>
    </rule>
    <rule regex="~DASHBOARD~">
      <allowed-permissions>
        <permission>publish</permission>
        <permission>get_publishing_queue</permission>
        <permission>cancel_publish</permission>
        <permission>write_configuration</permission>
        <permission>add_remote</permission>
        <permission>list_remotes</permission>
        <permission>pull_from_remote</permission>
        <permission>push_to_remote</permission>
        <permission>rebuild_database</permission>
        <permission>remove_remote</permission>
        <permission>site_status</permission>
        <permission>resolve_conflict</permission>
        <permission>site_diff_conflicted_file</permission>
        <permission>commit_resolution</permission>
        <permission>cancel_failed_pull</permission>
        <permission>encryption_tool</permission>
        <permission>publish_status</permission>
        <permission>content_read</permission>
      </allowed-permissions>
    </rule>
    <rule regex=".*">
      <allowed-permissions>
        <permission>s3_read</permission>
        <permission>s3_write</permission>
        <permission>webdav_read</permission>
        <permission>webdav_write</permission>
        <permission>list_plugins</permission>
        <permission>install_plugins</permission>
        <permission>get_children</permission>
        <permission>publish_status</permission>
        <permission>remove_plugins</permission>
        <permission>content_read</permission>
        <permission>content_search</permission>
        <permission>view_logs</permission>
        <permission>audit_log</permission>
        <permission>read_configuration</permission>
        <permission>write_configuration</permission>
        <permission>set_item_states</permission>
      </allowed-permissions>
    </rule>
  </role>
  <role name="admin">
    <rule regex="/.*">
      <allowed-permissions>
        <permission>content_read</permission>
        <permission>content_write</permission>
        <permission>publish</permission>
        <permission>get_publishing_queue</permission>
        <permission>cancel_publish</permission>
        <permission>folder_create</permission>
        <permission>content_create</permission>
        <permission>change_content_type</permission>
        <permission>add_remote</permission>
        <permission>list_remotes</permission>
        <permission>pull_from_remote</permission>
        <permission>push_to_remote</permission>
        <permission>rebuild_database</permission>
        <permission>remove_remote</permission>
        <permission>write_configuration</permission>
        <permission>site_status</permission>
        <permission>resolve_conflict</permission>
        <permission>site_diff_conflicted_file</permission>
        <permission>commit_resolution</permission>
        <permission>cancel_failed_pull</permission>
        <permission>encryption_tool</permission>
        <permission>get_children</permission>
        <permission>edit_site</permission>
        <permission>publish_status</permission>
        <permission>publish_clear_lock</permission>
        <permission>unlock_repository</permission>
        <permission>item_unlock</permission>
        <permission>content_copy</permission>
        <permission>repair_repository</permission>
      </allowed-permissions>
    </rule>
    <rule regex="^/(?!site/website/index\.xml)(.*)">
      <allowed-permissions>
        <permission>content_delete</permission>
        <permission>content_read</permission>
      </allowed-permissions>
    </rule>
    <rule regex="~DASHBOARD~">
      <allowed-permissions>
        <permission>publish</permission>
        <permission>get_publishing_queue</permission>
        <permission>cancel_publish</permission>
        <permission>add_remote</permission>
        <permission>list_remotes</permission>
        <permission>pull_from_remote</permission>
        <permission>push_to_remote</permission>
        <permission>rebuild_database</permission>
        <permission>remove_remote</permission>
        <permission>write_configuration</permission>
        <permission>site_status</permission>
        <permission>resolve_conflict</permission>
        <permission>site_diff_conflicted_file</permission>
        <permission>commit_resolution</permission>
        <permission>cancel_failed_pull</permission>
        <permission>encryption_tool</permission>
        <permission>publish_status</permission>
        <permission>publish_clear_lock</permission>
        <permission>unlock_repository</permission>
        <permission>item_unlock</permission>
        <permission>content_read</permission>
        <permission>repair_repository</permission>
      </allowed-permissions>
    </rule>
    <rule regex=".*">
      <allowed-permissions>
        <permission>s3_read</permission>
        <permission>s3_write</permission>
        <permission>webdav_read</permission>
        <permission>webdav_write</permission>
        <permission>edit_site</permission>
        <permission>list_plugins</permission>
        <permission>install_plugins</permission>
        <permission>get_children</permission>
        <permission>publish_status</permission>
        <permission>item_unlock</permission>
        <permission>remove_plugins</permission>
        <permission>content_read</permission>
        <permission>content_search</permission>
        <permission>view_logs</permission>
        <permission>start_stop_publisher</permission>
        <permission>read_configuration</permission>
        <permission>write_configuration</permission>
        <permission>set_item_states</permission>
      </allowed-permissions>
    </rule>
  </role>
  <role name="reviewer">
    <rule regex="/.*">
      <allowed-permissions>
        <permission>content_read</permission>
        <permission>publish</permission>
        <permission>get_publishing_queue</permission>
        <permission>cancel_publish</permission>
        <permission>get_children</permission>
        <permission>publish_status</permission>
      </allowed-permissions>
    </rule>
    <rule regex="~DASHBOARD~">
      <allowed-permissions>
        <permission>publish</permission>
        <permission>get_publishing_queue</permission>
        <permission>cancel_publish</permission>
        <permission>publish_status</permission>
        <permission>content_read</permission>
      </allowed-permissions>
    </rule>
    <rule regex=".*">
      <allowed-permissions>
        <permission>s3_read</permission>
        <permission>webdav_read</permission>
        <permission>list_plugins</permission>
        <permission>get_children</permission>
        <permission>publish_status</permission>
        <permission>content_read</permission>
        <permission>content_search</permission>
        <permission>read_configuration</permission>
      </allowed-permissions>
    </rule>
  </role>
  <role name="*">
    <rule regex="/.*">
      <allowed-permissions>
        <permission>content_read</permission>
        <permission>get_children</permission>
        <permission>publish_status</permission>
      </allowed-permissions>
    </rule>
    <rule regex=".*">
      <allowed-permissions>
        <permission>s3_read</permission>
        <permission>webdav_read</permission>
        <permission>list_plugins</permission>
        <permission>get_children</permission>
        <permission>publish_status</permission>
        <permission>content_read</permission>
        <permission>content_search</permission>
      </allowed-permissions>
    </rule>
  </role>
</permissions>
```
Description
List of available permissions
Permission | Description |
---|---|
add_remote | User is permitted to add a remote repository |
audit_log | User is permitted to access the audit log |
cancel_failed_pull | User is permitted to cancel a failed pull from a repository |
cancel_publish | User is permitted to cancel a publish request |
change_content_type | User is permitted to change content type |
commit_resolution | User is permitted to commit resolution |
content_create | User is permitted to create new content |
folder_create | User is permitted to create new folder |
create_cluster | User is permitted to create cluster |
create_groups | User is permitted to create new groups |
create_users | User is permitted to create new users |
create-site | User is permitted to create projects |
delete_cluster | User is permitted to delete clusters |
content_delete | User is permitted to delete content |
delete_groups | User is permitted to delete groups |
delete_users | User is permitted to delete users |
edit_site | User is permitted to edit sites |
encryption_tool | User is permitted to access the encryption tool |
get_children | User is permitted to call getChildren* APIs for browsing project content |
get_publishing_queue | User is permitted to get the list of packages in the publishing queue |
list_remotes | User is permitted to list remote repositories for a project |
publish | User is permitted to approve submitted content for publishing or publish content |
pull_from_remote | User is permitted to pull content from remote repository to project content repository |
push_to_remote | User is permitted to push content to remote repository from project content repository |
content_read | User is permitted to read content |
read_cluster | User is permitted to read cluster |
read_groups | User is permitted to read groups |
read_logs | User is permitted to read logs |
read_users | User is permitted to read users |
rebuild_database | User is permitted to rebuild Crafter Studio’s database and object state with the underlying repository |
remove_remote | User is permitted to remove remote repository from project content repository |
resolve_conflict | User is permitted to resolve a conflict for a file by accepting ours or theirs |
s3_read | User is permitted to get a list of items from an S3 bucket |
s3_write | User is permitted to upload a file to an S3 bucket |
site_diff_conflicted_file | User is permitted to get the difference between |
site_status | User is permitted to get status of repository for a project |
update_cluster | User is permitted to update cluster |
update_groups | User is permitted to update groups |
update_users | User is permitted to update users |
webdav_read | User is permitted to get a list of items from a WebDAV server |
webdav_write | User is permitted to upload a file to a WebDAV server |
content_write | User is permitted to edit content |
write_configuration | User is permitted to write configuration content for project |
write_global_configuration | User is permitted to write global configuration content for Studio |
list_plugins | User is permitted to list installed plugins |
install_plugins | User is permitted to install plugins |
- `/permissions/site/role@name`: Role name
- `/permissions/site/role/rule@regex`: Regular expression to filter paths where the permission is applied. The value `regex="~DASHBOARD~"` is a special regular expression applied for content displayed in dashboard widgets only
- `/permissions/site/role/rule/allowed-permissions/permission`: Allowed permission for role and rule (possible values given in the table above)